Despite Major Botnet Takedown, Authorities Urge Caution

Emotet, one of the world’s largest and most sinister botnets, was taken down in January following a two-year cooperative effort by international law enforcement agencies and private security researchers. Although it represents a significant victory, authorities warn that cybercriminals have already pivoted to other platforms for the widespread distribution of malware.

Emotet emerged in 2014 as a banking trojan, but its operators updated and reconfigured it repeatedly over the years. In its latest incarnation as a for-hire email spamming botnet, it served as a platform for the mass distribution of ransomware and other types of malware. Ukrainian law enforcement officials say it caused $2.5 billion in damages over the past five years.

Law enforcement agencies from the U.S., U.K., Canada, France, Germany, Lithuania, the Netherlands and Ukraine coordinated with private-sector cybersecurity professionals to disrupt Emotet’s command-and-control infrastructure. Code-named Operation Ladybird, the effort involved taking control of several hundred servers located in more than 90 countries. A video of one raid released by Ukrainian law enforcement shows officers seizing computer equipment, cash and gold bars.

A Stealthy Threat

The Emotet botnet operators gained a reputation for being particularly adept at evading spam filters, antivirus and antimalware software. Once installed, Emotet established a backdoor through which criminal groups could load additional trojans, ransomware and bot recruiters.

The FBI reports that Emotet was responsible for attacks in nearly every sector within the U.S., including businesses of all sizes, government agencies, school systems, healthcare organizations, nonprofits and even individuals. Officials say it was particularly active since the onset of the pandemic, infecting more than 1.6 million computers and causing hundreds of millions of dollars in damage since April 2020.

Although authorities believe they have effectively shut down the Emotet network, they also acknowledge that criminal organizations will likely reestablish operations with other malware-as-a-service providers. In fact, the FBI is now alerting organizations to a spike in phishing emails designed to spread TrickBot, another gateway for loading malware.

Like Emotet, TrickBot is a polymorphic malware, capable of continually changing its base code to avoid signature-based defenses. It alters identifiable characteristics such as file names or encryption keys to conceal itself from traditional antivirus and antimalware programs. It is also modular, meaning components can be swapped in and out depending on what an attacker wants to achieve. Worm-like characteristics allow it to rapidly spread through a network once a connected machine is infected.

Comeback Possible

Analysts note that the TrickBot botnet was also disrupted by authorities last October, but it quickly resurfaced and is now the most popular malware among cybercriminals, according to Check Point’s security team. That creates concern that Emotet could make a similar comeback.

Federal cybersecurity experts say organizations must remain vigilant and take precautions to minimize their risk. Signature-based antivirus software remains an essential security measure, but organizations should also implement endpoint security solutions that incorporate behavior-based scanning to identify and block malware at the network gateway.

It’s also a good idea to implement filters at the email gateway to block or quarantine suspicious messages before they are delivered to their intended recipient. Regular awareness training can further bolster an organization’s defenses by teaching employees how to identify and avoid social engineering and phishing scams.

Although authorities have disrupted one of the major delivery mechanisms for ransomware and other malicious spam, cybercriminals will still find ways to launch attacks. Give us a call to discuss ways we can help you improve your defenses.